Network Traffic Monitoring and Management

Outline
- Network basics
- Network Traffic Accounting - NetFlow
- MRTG

Part I: Network Basics

Network basics
- OSI reference model
- Introduction to SNMP

OSI reference model (Open System Interconnection)
- Application Layer
- Presentation Layer
- Session Layer
- Transport Layer
- Network Layer
- Datalink Layer
- Physical Layer

SNMP
- Simple Network Management Protocol
- Request/response protocol: GET, SET
- Remotely manages devices on TCP/IP networks
- Reads and writes status information on different network nodes
- Runs over UDP
  - Port 161: sending and receiving requests
  - Port 162: receiving traps from managed devices

How SNMP works
- Forms of communication between the SNMP Manager and the Agent
  - Get-request
  - Get-next-request
  - Set-request
  - Get-response
  - Trap

- SNMP Manager: a server running some kind of software system that can handle management tasks for a network
- SNMP Agent: a piece of software that runs on the network devices you are managing
- SNMP community: a logical relationship between an SNMP agent and one or more SNMP managers.

MIB (Management Information Base)
- Defines the storage structure for the various kinds of information held by network devices
  - Name (OID)
  - Type and syntax
  - Encoding
- MIB-II
  - The MIB standard provided by all network devices
  - Vendors also provide proprietary MIBs
- Other MIB standards
  - ATM MIB (RFC 2515)
  - Frame Relay DTE Interface Type MIB (RFC 2115)
  - BGP Version 4 MIB (RFC 1657)
  - RADIUS Authentication Server MIB (RFC 2619)
  - Mail Monitoring MIB (RFC 2249)
  - DNS Server MIB (RFC 1611)

OID:

SNMP & MIB tools
- MRTG (Multi Router Traffic Grapher)
- Getif: window-based MIB browser
- net-snmp package
  - snmpget (get)
  - snmpwalk (get-next)
  - snmpset (set)
  - snmptrap (trap)

    su-2.05#
    SNMPv2-MIB:sysDescr.0 = STRING: Hardware: x86 Family 6 Model 5 Stepping 2 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.0 (Build 2195 Uniprocessor Free)
    su-2.05# snmpwalk -c public 140.112.1.1
    SNMPv2-MIB:sysDescr.0 = STRING: Hardware: x86 Family 6 Model 5 Stepping 2 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.0 (Build 2195 Uniprocessor Free)
    SNMPv2-MIB:sysContact.0 = STRING:
    SNMPv2-MIB:sysName.0 = STRING: NTUCC-MADELINE
    SNMPv2-MIB:sysLocation.0 = STRING:
    SNMPv2-MIB:sysServices.0 = INTEGER: 76
    IF-MIB:ifNumber.0 = INTEGER: 3
    IF-MIB:ifIndex.1 = INTEGER: 1
    IF-MIB:ifIndex.2 = INTEGER: 2
    IF-MIB:ifIndex.3 = INTEGER: 3
    IF-MIB:ifDescr.1 = STRING: MS TCP Loopback interface
    IF-MIB:ifDescr.2 = STRING: 3Com EtherLink PCI

Network management systems
- Network management
  - Keep track of the state of the hosts on the network
  - Speed up troubleshooting
  - Reduce the workload of network administrators
- Network management systems
  - Commercial software
    - Integrated systems: MIB data collection, statistical analysis, graphing, event notification
    - Feature-rich and expensive
  - Free software
    - Provides part of the functionality of a network management system

Part II: Network Traffic Accounting

Network Traffic Accounting
- Introduction to NetFlow
- Running NetFlow
- NetFlow statistics programs

Network Traffic Accounting
- The needs:
  - To characterize the traffic and account for how and where it flows
  - Usage-based billing
  - Traffic engineering
- Products
  - Cisco NetFlow
    - Provides L3 network traffic flow information
  - Foundry sFlow
    - RFC 3176: statistical sampling technology
    - Provides L2-L4 network-wide traffic flow information
  - Juniper
    - Class-based accounting: filter-based, MPLS-based, destination class usage accounting

Cisco - NetFlow
- Captures data from each incoming packet
- NetFlow flow: a unidirectional stream of IP packets with the following common fields:
  - Source and destination IP addresses
  - Source and destination port numbers
  - Layer 3 protocol type
  - Type of service (ToS) byte
  - Input interface (ifIndex)
- Exported in UDP datagrams in one of four formats: v1, v5, v7, v8

NetFlow
- NetFlow is a three-part solution:
  - Exporter
  - Mediation devices
    - Cisco NetFlow FlowCollector
    - Public-domain tools: flow-tools
  - Traffic analysis tools
    - Cisco Network Data Analyzer
    - Statistics and analysis program:

Running NetFlow
- Configure the router
- Statistics and analysis workflow
  - Collect and store the flow data exported by network devices
  - Analyze the collected flow data and generate reports

Running NetFlow: configuring the router
- Commands
  - Global: ip flow-export destination
  - Interface: ip route-cache flow

    Router(config)# ip flow-export destination 140.112.1.1 9991
    Router(config)# int fa1/1/0
    Router(config-if)# ip route-cache flow

Recording and storing flow data
- flow-tools package
  - Collection of programs to post-process Cisco NetFlow compatible flows
  - Written in C, designed to be fast
  - Installation: configure; make; make install on most platforms (FreeBSD, Linux, Solaris, BSDi, NetBSD)
- Download:

flow-tools installation procedure (using Linux as the example)
- Unpack:

    zcat flow-tools-0.58.tar.gz | tar xvf -

- The following software must be installed first: zlib, GNU make
- Install:

    ./configure
    gmake
    gmake install

flow-tools: flow-capture
- Collects NetFlow exports and stores them to disk.
- Built-in compression.
- Manages disk space by expiring older flow files at configurable limits.
- Detects lost flows by missing sequence numbers.

    flow-capture -z Z -n N -e E -p P -w W

- Z: compression level
- N: number of files kept per day
- E: total number of files kept on disk
- P: port number
- W: storage path
- Example:

    flow-capture -z 6 -n 143 -e 1500 -p 9991 -w /netflow

Testing

    flow-receive 0/0/9991 | flow-print

    tcpdump -n udp port 9991
    tcpdump: listening on fxp0
    14:17:39.491510 140.112.3.76.1024 > 140.112.3.88.9991: udp 1168
    14:17:39.492820 140.112.3.76.1024 > 140.112.3.88.9991: udp 1168
    14:17:39.493786 140.112.3.76.1024 > 140.112.3.88.9991: udp 1168
    14:17:39.495057 140.112.3.76.1024 > 140.112.3.88.9991: udp 1168
    14:17:39.496298 140.112.3.76.1024 > 140.112.3.88.9991: udp 1168
    14:17:39.496863 140.112.3.76.1024 > 140.112.3.88.9991: udp 1168
    14:17:39.496967 140.112.3.76.1024 > 140.112.3.88.9991: udp 1168
    14:17:39.497068 140.112.3.76.1024 > 140.112.3.88.9991: udp 1168
    14:17:39.497176 140.112.3.76.1024 > 140.112.3.88.9991: udp 1168
    14:17:39.497279 140.112.3.76.1024 > 140.112.3.88.9991: udp 1168
    14:17:39.497381 140.112.3.76.1024 > 140.112.3.88.9991: udp 1168
    14:17:39.497486 140.112.3.76.1024 > 140.112.3.88.9991: udp 1168
    14:17:39.497589 140.112.3.76.1024 > 140.112.3.88.9991: udp 1168
    14:17:39.497694 140.112.3.76.1024 > 140.112.3.88.9991: udp 1168

NetFlow data format: flow-print -f0 logfile

    Sif  SrcIPaddress     Dif  DstIPaddress     Pr SrcP DstP Pkts Octets
    0000 195.254.117.168  0000 140.131.7.3      01 0    0    9    504
    0000 205.188.248.89   0000 163.28.16.2      06 50   fdb6 5    589
    0000 61.229.48.83     0000 192.192.120.18   06 454  17   12   493
    0000 207.218.223.162  0000 192.83.193.2     11 35   8000 1    156
    0000 207.159.149.84   0000 140.131.1.188    01 0    0    10   560
    0000 202.178.164.169  0000 203.64.48.107    06 71   9e6  1    40
    0000 168.95.1.1       0000 203.71.92.1      11 35   a82c 1    187
    0000 210.224.163.3    0000 210.71.107.3     11 3bce 35   1    71
    0000 66.207.130.76    0000 163.28.16.2      06 50   fdde 6    782
    0000 168.95.1.1       0000 203.71.92.1      11 35   a809 1    60
    0000 64.12.24.30      0000 163.28.16.9      06 1bb  76b5 3    120
    0000 163.31.102.156   0000 192.192.122.144  06 b3c  50   5    212
    0000 163.31.102.156   0000 192.192.122.144  06 1283 50   3    156
    0000 211.141.113.77   0000 203.71.88.240    11 fbf  fa4  1    295
    0000 140.117.11.100   0000 203.72.39.34     06 c38  e25d 7    3893
    0000 61.139.8.11      0000 163.28.16.2      06 50   bb03 1    41
    0000 140.117.11.100   0000 203.72.39.34     06 c38  e256 6    1229
    0000 210.85.124.196   0000 203.64.48.107    06 28da 17   1    43
    0000 140.117.11.100   0000 203.72.39.34     06 c38  e261 13   4909

Statistics and analysis program
- Performs statistical analysis on the collected and stored NetFlow data and generates reports
- Can be downloaded from the Internet
- Written in Perl
- Can compute totals or Top-N statistics by network segment, protocol, and inbound/outbound IP network segment
- NTU NetFlow statistics web page

    #
    # Modify the following to meet your configuration.
    # $dir is where you put your program and config files
    # $rawdir is where the raw log files are kept
    # $outputdir is where the output files should be
    #
    $dir = "/usr/NetFlow/analysis";
    $rawdir = "/usr/NetFlow/raw";
    $flowprint = "/usr/NetFlow/bin/flow-print";
    $outputdir = "/usr/local/";
    $htmldir = sprintf ("%s/html/%02d%02d%02d", $outputdir, $year, $mon, $mday);
    $rawoutput = sprintf ("%s/raw", $outputdir);
    $TopN = 100;
    @NET = ("NTUProxy", "NTUGeneral");
    $protfile = "$dir/protocols";
    $servfile = "$dir/services";
    $intranet = "$dir/intranet";
    $DEBUG = 0; # debug info flag
    $SLEEP_TIME = 0; #debug
    $COUNT_THRESHOLD = 50; #debug

Part III: MRTG

MRTG
- Introduction to MRTG
- Using MRTG
- Using MRTG to monitor other system resources

Multi Router Traffic Grapher
- A tool for monitoring the traffic on network links
- How it works
  - Uses SNMP to collect traffic or other status data from network devices
  - Turns the collected data into web pages, presented as graphs
  - Provides records for the current day, the past seven days, the past four weeks, and the past 12 months
  - Can accept data collected by external programs and graph it

Using MRTG
- Get the program
  - The current latest version is
- Compile MRTG
- Generate the MRTG configuration file
- Edit the MRTG configuration file
- Test the MRTG output
- Run MRTG automatically

Compile MRTG
- First make sure the following software is installed:
  - gd
  - libpng
  - zlib
- Installation procedure:

    gunzip -c mrtg-2.9.18.tar.gz | tar xvf -
    ./configure --prefix=/usr/local/mrtg-2
    make
    make install

Generating the MRTG configuration file
- The configuration file must define:
  - The IP address or name of the network devices to collect data from
  - The kinds of data to collect
  - The path where the collected data is stored
  - The specific format of the output graphs and web pages

    cfgmaker -global 'WorkDir: /home/ d/mrtg' -global 'Options[_]: bits,growright' -output /home/mrtg/cfg/mrtg.cfg

MRTG configuration file syntax: Global
- WorkDir
- HtmlDir
- ImageDir
- LogDir
- Refresh
- Interval
- LoadMIBs

MRTG configuration file syntax: Target
- Target specifies which machine to monitor

    Target[targetname]: port:
    Target[targetname]: oid_1&oid_2:
    Target[targetname]: snmp_name1&snmp_name2:community@router
    Target[targetname]: 1:community@routerA+2:community@routerA
    Target[targetname]: `/usr/local/ping-probe/mrtg-ping-probe`

- The external program outputs:
  - First parameter
  - Second parameter
  - System uptime
  - A string giving the name of the Target

MRTG configuration file syntax: Target options
- MaxBytes: the maximum value either of the two monitored variables is allowed to reach
- MaxBytes1: MaxBytes for variable 1
- MaxBytes2: MaxBytes for variable 2
- Title: title for the HTML page which gets generated for the graph
- PageTop: things to add to the top of the generated HTML page

MRTG configuration file syntax: Options
- growright
- bits
- gauge
- absolute
- nopercent

Special target names
- Target[^]
- Target[$]
- Target[_]

The most basic configuration

    WorkDir: /usr/tardis/pub/
    Target[r1]: 2:
    MaxBytes[r1]: 8000
    Title[r1]: Traffic Analysis ISDN
    PageTop[r1]: Stats for our ISDN Line

A configuration with several routers

    WorkDir: /usr/tardis/pub/
    Title[^]: Traffic Analysis for
    PageTop[^]: Stats for
    PageTop[$]: Contact The Chief if you notice anybody
    MaxBytes[_]: 8000
    Options[_]: growright

    Title[isdn]: our ISDN Line
    PageTop[isdn]: our ISDN Line
    Target[isdn]: 2:

    Title[backb]: our Campus Backbone
    PageTop[backb]: our Campus Backbone
    Target[backb]: 1:
    MaxBytes[backb]: 1250000

    # the following line removes the default prepend value
    # defined above
    Title[^]:

    Title[isdn2]: Traffic for the Backup ISDN Line
    PageTop[isdn2]: our ISDN Line
    Target[isdn2]: 3:

Running MRTG automatically
- Use MRTG to observe long-term trends
- Set the MRTG program to run periodically
- Add the entry to crontab:

    crontab -e

Using MRTG to monitor other data
- Sources of MRTG statistics
  - Data obtained from remote network devices through SNMP
  - Data produced by an external program
- How to configure
  - Set the path of the external program in the Target option

Network condition: round-trip time & packet loss
- mrtg-ping-probe
  - Monitors the round-trip time and packet loss to another networked host
  - Download from the Internet:
- mrtg-ping-probe usage

    mrtg-ping-probe -hsvV -d deadtime -k count -l length -o ping_options -p factor*min|max|avg|loss|integer/factor*min|max|avg|loss|integer -r rsh:user@host:osname -t timeout host

    Target[yahoo]: `/usr/local/mrtg/mrtg-ping-probe`
    Target[yahoo]: `/usr/local/mrtg/mrtg-ping-probe -p loss/loss`

    root@scorpio5:33pm/#/usr/local/ping-probe/mrtg-ping-probe
    190
    189
    root@scorpio5:35pm/f#/usr/local/ping-probe/mrtg-ping-probe -t 42 -p loss/loss
    0
    0

System CPU load
- Sysstat
  - Collects system CPU utilization data
- How it works
  - A crontab entry periodically runs the Unix sa1 command, which collects system information and stores it in /var/adm/sa/sadd (dd stands for the current date)
  - A Perl program extracts the system information stored in the sadd file and outputs it in a format that MRTG accepts

    # crontab
    0,10,20,30,40,50 * * * * /usr/lib/sa/sa1 &

    Target[server_cpu]: `/usr/local/bin/system-load.sh`

/usr/local/bin/system-load.sh:

    #! /usr/local/bin/perl
    # Take the most recent sar sample and collapse runs of spaces.
    @line = `sar | tail -3 | head -1 | sed 's/  */ /g'`;
    @data = split(/ /, $line[0]);
    # First value: %usr, rounded. Second value: %usr + %sys.
    if ($data[2] eq "") { printf "0\n"; } else { printf ("%3.0f\n", $data[1] + 0.5); }
    printf ("%3.0f\n", ($data[1])+($data[2]));
    # Third line: uptime. Fourth line: host name.
    $uptime = `/usr/bin/uptime | sed 's/  */ /g'`;
    @uptime = split(/,/, $uptime);
    @uptime = split(/up/, $uptime[0]);
    $server = `/bin/uname -n`;
    # print rather than printf: command output must not be used as a format string
    print "$uptime[1]\n";
    print $server;

    SunOS aquarius 5.7 Generic_106541-18 sun4u    07/07/02

    00:00:00    %usr    %sys    %wio   %idle
    00:10:00      12       4       1      83
    00:20:00       3       4       1      92
    00:30:00      12       4       1      84
    00:40:00       3       4       0      93
    00:50:00      12       4       1      84
    01:00:01       3       4       1      92
    01:10:00      12       4       0      84
    01:20:00       3       4       0      93
    01:30:0
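
Added example (not part of the original slides) for the SNMP slides in Part I: a minimal decoder for the message that carries a Get/Set/Trap PDU, showing that the community string, such as the `public` passed to snmpwalk above, travels as plain octets in every UDP datagram. Both sample datagrams are constructed, and the BER layout assumed is that of SNMPv1 (RFC 1157), which the slides do not spell out.

```python
PDU_NAMES = {0xA0: "get-request", 0xA1: "get-next-request",
             0xA2: "get-response", 0xA3: "set-request", 0xA4: "trap"}

# Constructed SNMPv1 datagrams (not captured traffic): a get-request for
# sysDescr.0 with community "public", and a set-request with "private".
GET_PUBLIC = bytes.fromhex(
    "3026020100" "04067075626c6963" "a019020101020100020100"
    "300e300c06082b06010201010100" "0500")
SET_PRIVATE = bytes.fromhex(
    "3028020100" "040770726976617465" "a31a020102020100020100"
    "300f300d06082b06010201010400" "040178")


def read_tlv(buf, pos):
    """Decode one BER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low bits count the length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past the end of the datagram")
    return tag, buf[pos:pos + length], pos + length


def snmp_summary(datagram):
    """Return (version, community, pdu_type) from an SNMPv1/v2c message."""
    tag, message, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    vtag, version, pos = read_tlv(message, 0)
    ctag, community, pos = read_tlv(message, pos)
    ptag, _pdu, _ = read_tlv(message, pos)
    if vtag != 0x02 or ctag != 0x04:
        raise ValueError("unexpected version or community encoding")
    # Wire value 0 is SNMPv1 and 1 is SNMPv2c.
    return (int.from_bytes(version, "big"), community.decode("latin-1"),
            PDU_NAMES.get(ptag, hex(ptag)))
```
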
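
Added example (not flow-tools code and not from the original slides) for the flow-capture slide in Part II, which says lost flows are detected by missing sequence numbers: a collector-side check over NetFlow v5 export headers. The v5 header layout is taken from Cisco's published format rather than from the slides, the function names are hypothetical, and the datagrams are constructed.

```python
import struct

# NetFlow v5 export header: version, count, sys_uptime, unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling_interval (24 bytes), followed
# by `count` flow records of 48 bytes each.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD_LEN = 48


def build_v5(count, flow_sequence):
    """Build a constructed v5 datagram with zeroed flow records (test input)."""
    header = V5_HEADER.pack(5, count, 0, 0, 0, flow_sequence, 0, 0, 0)
    return header + bytes(V5_RECORD_LEN * count)


def parse_v5_header(datagram):
    """Return (count, flow_sequence); raise ValueError on malformed input."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than the v5 header")
    version, count, _, _, _, sequence, _, _, _ = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD_LEN:
        raise ValueError("length does not match the record count")
    return count, sequence


def audit_sequence(datagrams):
    """Return (lost_flows, stale, rejected) for one exporter's datagram stream."""
    expected, lost, stale, rejected = None, 0, 0, 0
    for datagram in datagrams:
        try:
            count, sequence = parse_v5_header(datagram)
        except ValueError:
            rejected += 1
            continue
        gap = 0 if expected is None else (sequence - expected) % 2**32
        if gap >= 2**31:        # sequence moved backwards: late or duplicate datagram
            stale += 1
            continue
        lost += gap             # flows that were exported but never received
        expected = (sequence + count) % 2**32
    return lost, stale, rejected


# Constructed stream: two in-order datagrams, a 60-flow gap, a truncated
# datagram, and one datagram that arrives late.
SAMPLE = [build_v5(30, 1000), build_v5(30, 1030), build_v5(10, 1120),
          build_v5(30, 1130)[:40], build_v5(30, 1060)]
```
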
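
Added example (not the Perl statistics program the slides describe) for the flow-print output and the Top-N statistics slide in Part II: parsing flow-print rows and totalling octets per source address and per protocol. It assumes the Pr, SrcP and DstP columns are hexadecimal, as values such as fdb6 and 1bb indicate, and that Pkts and Octets are decimal; the rows are copied from the output shown above, plus one constructed truncated row.

```python
from collections import Counter

# Rows copied from the flow-print output on the page, plus one truncated row
# (constructed) of the kind left behind when a capture is cut short.
FLOW_PRINT = """\
Sif  SrcIPaddress     Dif  DstIPaddress     Pr SrcP DstP Pkts Octets
0000 205.188.248.89   0000 163.28.16.2      06 50   fdb6 5    589
0000 61.229.48.83     0000 192.192.120.18   06 454  17   12   493
0000 207.218.223.162  0000 192.83.193.2     11 35   8000 1    156
0000 207.159.149.84   0000 140.131.1.188    01 0    0    10   560
0000 140.117.11.100   0000 203.72.39.34     06 c38  e25d 7    3893
0000 66.207.130.76    0000 163.28.16.2      06 50   fdde 6    782
0000 140.117.11.100   0000 203.72.39.34     06 c38  e256 6    1229
0000 140.117.11.100   0000 203.72.39.34     06 c38  e261 13   4909
0000 140.117.11.100   0000 203.72
"""
PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_flows(text):
    """Parse flow-print rows; protocol and ports are hex, counters decimal."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 9 or fields[0] == "Sif":
            continue                      # header, blank or truncated row
        try:
            flows.append({
                "src": fields[1], "dst": fields[3],
                "proto": PROTOCOLS.get(int(fields[4], 16), fields[4]),
                "sport": int(fields[5], 16), "dport": int(fields[6], 16),
                "pkts": int(fields[7]), "octets": int(fields[8]),
            })
        except ValueError:
            continue                      # non-numeric field: skip the row
    return flows


def top_n(flows, field, n):
    """Sum octets per value of `field` and return the n largest totals."""
    totals = Counter()
    for flow in flows:
        totals[flow[field]] += flow["octets"]
    return totals.most_common(n)


FLOWS = parse_flows(FLOW_PRINT)
```
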
